Hi John,

I noticed this behavior a long time ago, where a User's IP address could change, but still maintain Session State.

Although 062 introduced some changes to how Sessions and UserReference keys are managed in Witango (to make them more secure), I don't know about the case where a User's IP address has changed in the middle of a valid session. IP addresses are less reliable than session-cookies for uniquely identifying an individual, but it can be a factor in terms of security. It's a good question.

The circumstances for this should be rare:

~~ The User's ISP uses dynamic addresses - and the dynamic IP allocation happened while the User was in the middle of a Session. Innocent circumstance.

~~ A new User got a copied URL containing someone else's _UserReference argument, so now they are accidentally hijacking/tailgating a Session from a different IP than the original User. 062 addresses this.

~~ A hacker has intercepted the UserReference key with a Network Sniffer and is now deliberately hijacking a session, and the hacker's IP is different. Of course, a really "good" hacker would spoof their IP address to match the original. Rare, but possible.

If you think it's happening more often than you like - then maybe a new security routine is in order for your application. Like recording the original IP address when a User logs in - then periodically checking that the User is still coming from the original IP address, if not, then purge the session....

Maybe another option in this case, might be to investigate the USERKEY configuration setting in the witango.ini file??

----

As for when you're doing an upgrade, I typically un-install the old version before installing the latest build.

Maybe I generated more questions than answers, but I hope this helps.

Cheers.....
Scott Cadillac,
XML-Extranet - http://xmlx.ca
403-281-6090 - [EMAIL PROTECTED]
Well-formed Development -- Extranet solutions using C# .NET, Witango, MSIE and XML

-----Original Message-----
From: "John Newsom" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Date: Tue, 14 Oct 2003 11:43:10 -0700
Subject: Witango-Talk: witango session cookie question

> I noticed a bizarre occurrence in my witango server log. The IP address
> of the logged on user changed, but the session cookie stayed the same.
> Attached is an excerpt from the log.
>
> We are running .054 version of Witango Server on a Win2K server, using
> IIS as the web server. Is this the kind of issue fixed in the .062
> release?
>
> Second question. To install the .062 update, should the previous
> installation be removed? I tried to do the modify option in the
> installer, but the .dll file didn't change.
>
> Thanks, and I hope these questions weren't answered in previous posts!
> I looked in the archives, but nothing precisely fit.
>
> John Newsom
>
> ________________________________________________________________________
> TO UNSUBSCRIBE: Go to http://www.witango.com/maillist.taf
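
The routine suggested in the reply above (record the IP address at login, check it on later requests, purge the session on a mismatch), sketched in Python as an added example. It is not Witango code and not part of the original messages; the `SessionStore` class, its method names and the prefix-length option for tolerating dynamic address changes are assumptions made for illustration.

```python
import ipaddress
import secrets


class SessionStore:
    """In-memory session table that remembers the network seen at login."""

    def __init__(self, prefix_v4=32, prefix_v6=128):
        # Prefix lengths decide how much of the address must match.
        # 32/128 means an exact match; 24/64 tolerates a dynamic re-lease
        # inside the same network (an assumption, tune it to your users).
        self._prefix = {4: prefix_v4, 6: prefix_v6}
        self._sessions = {}  # session key -> {"user": str, "net": ip_network}

    def _network(self, ip):
        addr = ipaddress.ip_address(ip)
        prefix = self._prefix[addr.version]
        return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

    def login(self, user, ip):
        """Create a session and bind it to the caller's address."""
        key = secrets.token_urlsafe(32)  # unguessable session key
        self._sessions[key] = {"user": user, "net": self._network(ip)}
        return key

    def check(self, key, ip):
        """Return the user name if the request may continue, else None.

        A request from outside the network recorded at login purges the
        session, so whoever holds the key has to log in again.
        """
        session = self._sessions.get(key)
        if session is None:
            return None
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            addr = None  # unparsable source address is treated as a mismatch
        if addr is None or addr not in session["net"]:
            del self._sessions[key]
            return None
        return session["user"]
```

With the default exact match, the innocent dynamic-address case is logged out as well; a wider prefix trades that inconvenience against accepting any client in the same network.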
